Skip to content

Commit

Permalink
Expand the session attribute filtering options
Browse files Browse the repository at this point in the history
- new option to filter based on implementation class of value
- new option to log a warning message if an attribute is filtered out
- always log a message at at least debug level if an attribute is filtered out
This is part 1 of 2 of the fix for CVE-2016-0714

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1725263 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information
markt-asf committed Jan 18, 2016
1 parent 9bb9beb commit 824eb1d
Show file tree
Hide file tree
Showing 7 changed files with 256 additions and 18 deletions.
16 changes: 16 additions & 0 deletions java/org/apache/catalina/ha/session/mbeans-descriptors.xml
Original file line number Diff line number Diff line change
Expand Up @@ -314,6 +314,14 @@
name="sessionAttributeNameFilter"
descritpion="The string pattern used for including session attributes in replication. Null means all attributes are included."
type="java.lang.String"/>
<attribute
name="sessionAttributeValueClassNameFilter"
description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
type="java.lang.String"/>
<attribute
name="warnOnSessionAttributeFilterFailure"
description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
type="boolean"/>
<operation
name="expireSession"
description="Expired the given session"
Expand Down Expand Up @@ -536,6 +544,14 @@
name="sessionAttributeNameFilter"
descritpion="The string pattern used for including session attributes in replication. Null means all attributes are included."
type="java.lang.String"/>
<attribute
name="sessionAttributeValueClassNameFilter"
description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
type="java.lang.String"/>
<attribute
name="warnOnSessionAttributeFilterFailure"
description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
type="boolean"/>
<operation
name="expireSession"
description="Expired the given session"
Expand Down
2 changes: 2 additions & 0 deletions java/org/apache/catalina/session/LocalStrings.properties
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given.
JDBCStore.commitSQLException=SQLException committing connection before closing
managerBase.container.noop=Managers added to containers other than Contexts will never be used
managerBase.createSession.ise=createSession: Too many active sessions
managerBase.sessionAttributeNameFilter=Skipped session attribute named [{0}] because it did not match the name filter [{1}]
managerBase.sessionAttributeValueClassNameFilter=Skipped session attribute named [{0}] because the value type [{1}] did not match the filter [{2}]
managerBase.sessionTimeout=Invalid session timeout setting {0}
standardManager.loading=Loading persisted sessions from {0}
standardManager.loading.exception=Exception while loading persisted sessions
Expand Down
119 changes: 116 additions & 3 deletions java/org/apache/catalina/session/ManagerBase.java
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,10 @@ public abstract class ManagerBase extends LifecycleMBeanBase

private Pattern sessionAttributeNamePattern;

private Pattern sessionAttributeValueClassNamePattern;

private boolean warnOnSessionAttributeFilterFailure;


// ------------------------------------------------------------- Properties

Expand Down Expand Up @@ -257,6 +261,86 @@ protected Pattern getSessionAttributeNamePattern() {
}


/**
* Obtain the regular expression used to filter session attribute based on
* the implementation class of the value. The regular expression is anchored
* and must match the fully qualified class name.
*
* @return The regular expression currently used to filter class names.
* {@code null} means no filter is applied. If an empty string is
* specified then no names will match the filter and all attributes
* will be blocked.
*/
public String getSessionAttributeValueClassNameFilter() {
if (sessionAttributeValueClassNamePattern == null) {
return null;
}
return sessionAttributeValueClassNamePattern.toString();
}


/**
* Provides {@link #getSessionAttributeValueClassNameFilter()} as a
* pre-compiled regular expression pattern.
*
* @return The pre-compiled pattern used to filter session attributes based
* on the implementation class name of the value. {@code null} means
* no filter is applied.
*/
protected Pattern getSessionAttributeValueClassNamePattern() {
return sessionAttributeValueClassNamePattern;
}


/**
* Set the regular expression to use to filter classes used for session
* attributes. The regular expression is anchored and must match the fully
* qualified class name.
*
* @param sessionAttributeValueClassNameFilter The regular expression to use
* to filter session attributes based on class name. Use {@code
* null} if no filtering is required. If an empty string is
* specified then no names will match the filter and all
* attributes will be blocked.
*
* @throws PatternSyntaxException If the expression is not valid
*/
public void setSessionAttributeValueClassNameFilter(String sessionAttributeValueClassNameFilter)
throws PatternSyntaxException {
if (sessionAttributeValueClassNameFilter == null ||
sessionAttributeValueClassNameFilter.length() == 0) {
sessionAttributeValueClassNamePattern = null;
}
sessionAttributeValueClassNamePattern =
Pattern.compile(sessionAttributeValueClassNameFilter);
}


/**
* Should a warn level log message be generated if a session attribute is
* not persisted / replicated / restored.
*
* @return {@code true} if a warn level log message should be generated
*/
public boolean getWarnOnSessionAttributeFilterFailure() {
return warnOnSessionAttributeFilterFailure;
}


/**
* Configure whether or not a warn level log message should be generated if
* a session attribute is not persisted / replicated / restored.
*
* @param warnOnSessionAttributeFilterFailure {@code true} if the
* warn level message should be generated
*
*/
public void setWarnOnSessionAttributeFilterFailure(
boolean warnOnSessionAttributeFilterFailure) {
this.warnOnSessionAttributeFilterFailure = warnOnSessionAttributeFilterFailure;
}


@Override
public Context getContext() {
return context;
Expand Down Expand Up @@ -719,10 +803,39 @@ protected void changeSessionId(Session session, String newId,
@Override
public boolean willAttributeDistribute(String name, Object value) {
Pattern sessionAttributeNamePattern = getSessionAttributeNamePattern();
if (sessionAttributeNamePattern == null) {
return true;
if (sessionAttributeNamePattern != null) {
if (!sessionAttributeNamePattern.matcher(name).matches()) {
if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
String msg = sm.getString("managerBase.sessionAttributeNameFilter",
name, sessionAttributeNamePattern);
if (getWarnOnSessionAttributeFilterFailure()) {
log.warn(msg);
} else {
log.debug(msg);
}
}
return false;
}
}

Pattern sessionAttributeValueClassNamePattern = getSessionAttributeValueClassNamePattern();
if (value != null && sessionAttributeValueClassNamePattern != null) {
if (!sessionAttributeValueClassNamePattern.matcher(
value.getClass().getName()).matches()) {
if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
String msg = sm.getString("managerBase.sessionAttributeValueClassNameFilter",
name, value.getClass().getName(), sessionAttributeNamePattern);
if (getWarnOnSessionAttributeFilterFailure()) {
log.warn(msg);
} else {
log.debug(msg);
}
}
return false;
}
}
return sessionAttributeNamePattern.matcher(name).matches();

return true;
}


Expand Down
16 changes: 16 additions & 0 deletions java/org/apache/catalina/session/mbeans-descriptors.xml
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,14 @@
descritpion="The string pattern used for including session attributes in distribution. Null means all attributes are included."
type="java.lang.String"/>

<attribute name="sessionAttributeValueClassNameFilter"
description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
type="java.lang.String"/>

<attribute name="warnOnSessionAttributeFilterFailure"
description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
type="boolean"/>

<operation name="backgroundProcess"
description="Invalidate all sessions that have expired."
impact="ACTION"
Expand Down Expand Up @@ -319,6 +327,14 @@
descritpion="The string pattern used for including session attributes in distribution. Null means all attributes are included."
type="java.lang.String"/>

<attribute name="sessionAttributeValueClassNameFilter"
description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
type="java.lang.String"/>

<attribute name="warnOnSessionAttributeFilterFailure"
description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
type="boolean"/>

<operation name="backgroundProcess"
description="Invalidate all sessions that have expired."
impact="ACTION"
Expand Down
7 changes: 7 additions & 0 deletions webapps/docs/changelog.xml
Original file line number Diff line number Diff line change
Expand Up @@ -207,6 +207,13 @@
well as unload to ensure that configuration changes made while the web
application is stopped are applied to any persisted data. (markt)
</add>
<add>
Extend the session attribute filtering options to include filtering
based on the implementation class of the value and optional
<code>WARN</code> level logging if an attribute is filtered. These
options are avaialble for all of the Manager implementations that ship
with Tomcat. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
Expand Down
67 changes: 56 additions & 11 deletions webapps/docs/config/cluster-manager.xml
Original file line number Diff line number Diff line change
Expand Up @@ -77,17 +77,6 @@
when session attributes are being replicated or removed across Tomcat
nodes in the cluster.
</attribute>
<attribute name="sessionAttributeNameFilter" required="false">
A regular expression used to filter which session attributes will be
replicated. An attribute will only be replicated if its name matches
this pattern. If the pattern is zero length or <code>null</code>, all
attributes are eligible for replication. The pattern is anchored so the
session attribute name must fully match the pattern. As an example, the
value <code>(userName|sessionHistory)</code> will only replicate the
two session attributes named <code>userName</code> and
<code>sessionHistory</code>. If not specified, the default value of
<code>null</code> will be used.
</attribute>
<attribute name="maxInactiveInterval" required="false">
<p>The initial maximum time interval, in seconds,
between client requests before a session is invalidated. A negative value
Expand Down Expand Up @@ -184,6 +173,26 @@
effective only when <code>sendAllSessions</code> is <code>false</code>.
Default is <code>2000</code> milliseconds.
</attribute>
<attribute name="sessionAttributeNameFilter" required="false">
<p>A regular expression used to filter which session attributes will be
replicated. An attribute will only be replicated if its name matches
this pattern. If the pattern is zero length or <code>null</code>, all
attributes are eligible for replication. The pattern is anchored so the
session attribute name must fully match the pattern. As an example, the
value <code>(userName|sessionHistory)</code> will only replicate the
two session attributes named <code>userName</code> and
<code>sessionHistory</code>. If not specified, the default value of
<code>null</code> will be used.</p>
</attribute>
<attribute name="sessionAttributeValueClassNameFilter" required="false">
<p>A regular expression used to filter which session attributes will be
replicated. An attribute will only be replicated if the implementation
class name of the value matches this pattern. If the pattern is zero
length or <code>null</code>, all attributes are eligible for
replication. The pattern is anchored so the fully qualified class name
must fully match the pattern. If not specified, the default value of
<code>null</code> will be used.</p>
</attribute>
<attribute name="stateTimestampDrop" required="false">
When this node sends a <code>GET_ALL_SESSIONS</code> message to other
node, all session messages that are received as a response are queued.
Expand All @@ -195,6 +204,14 @@
If set to <code>false</code>, all queued session messages are handled.
Default is <code>true</code>.
</attribute>
<attribute name="warnOnSessionAttributeFilterFailure" required="false">
<p>If <strong>sessionAttributeNameFilter</strong> or
<strong>sessionAttributeValueClassNameFilter</strong> blocks an
attribute, should this be logged at <code>WARN</code> level? If
<code>WARN</code> level logging is disabled then it will be logged at
<code>DEBUG</code>. The default value of this attribute is
<code>false</code>.</p>
</attribute>
</attributes>
</subsection>
<subsection name="org.apache.catalina.ha.session.BackupManager Attributes">
Expand All @@ -218,13 +235,41 @@
another map.
Default value is <code>15000</code> milliseconds.
</attribute>
<attribute name="sessionAttributeNameFilter" required="false">
<p>A regular expression used to filter which session attributes will be
replicated. An attribute will only be replicated if its name matches
this pattern. If the pattern is zero length or <code>null</code>, all
attributes are eligible for replication. The pattern is anchored so the
session attribute name must fully match the pattern. As an example, the
value <code>(userName|sessionHistory)</code> will only replicate the
two session attributes named <code>userName</code> and
<code>sessionHistory</code>. If not specified, the default value of
<code>null</code> will be used.</p>
</attribute>
<attribute name="sessionAttributeValueClassNameFilter" required="false">
<p>A regular expression used to filter which session attributes will be
replicated. An attribute will only be replicated if the implementation
class name of the value matches this pattern. If the pattern is zero
length or <code>null</code>, all attributes are eligible for
replication. The pattern is anchored so the fully qualified class name
must fully match the pattern. If not specified, the default value of
<code>null</code> will be used.</p>
</attribute>
<attribute name="terminateOnStartFailure" required="false">
Set to true if you wish to terminate replication map when replication
map fails to start. If replication map is terminated, associated context
will fail to start. If you set this attribute to false, replication map
does not end. It will try to join the map membership in the heartbeat.
Default value is <code>false</code> .
</attribute>
<attribute name="warnOnSessionAttributeFilterFailure" required="false">
<p>If <strong>sessionAttributeNameFilter</strong> or
<strong>sessionAttributeValueClassNameFilter</strong> blocks an
attribute, should this be logged at <code>WARN</code> level? If
<code>WARN</code> level logging is disabled then it will be logged at
<code>DEBUG</code>. The default value of this attribute is
<code>false</code>.</p>
</attribute>
</attributes>
</subsection>
</section>
Expand Down
Loading

0 comments on commit 824eb1d

Please sign in to comment.